New Member

Command authorization issue.

Hello.

I'm using command authorization with Cisco Secure ACS 4.1. This morning I tried to set the MOTD and the entries fail because my banner starts with a blank.

The shell command set that I'm using is a "permit unmatched commands".

Any idea?

Thanks.

Andrea

1 ACCEPTED SOLUTION

Cisco Employee

Re: Command authorization issue.

What you're experiencing is a known defect:

CSCtg38468    cat4k/IOS: banner exec failed with blank characters

Symptom:

%PARSE_RC-4-PRC_NON_COMPLIANCE:

The above parser error can be seen together with a traceback when configuring a banner containing a blank character at the beginning of a line.

Conditions:

Problem happens, when AAA authorization is used together with TACACS+

Workaround:

Make sure there is no blank character at the beginning of a line in the banner message.

Problem Details: trying to configure banner exec with blank character at beginning of line failed.

This happens when configuring the banner exec via telnet/ssh!

When configuring the same banner exec via console-port, everything is fine.

Note the blank characters at beginning of each line. When removing those, banner exec works fine.

Again, this was working till IOS version 12.2(46)SG.

Beginning with 12.2(50)SG1 and up, the behaviour has changed.

~BR
Jatin Katyal

**Do rate helpful posts**
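
A pre-flight check for the workaround above, as an added example that is not part of the original thread or Cisco's own code: it scans a configuration snippet for banner blocks, reports every banner line that begins with a space or tab, and returns a copy with those lines left-stripped. The function name `lint_banners`, the hostname `sw-example` and the sample config are constructed for illustration; the parser assumes the delimiter is a single character or the `^C` form.

```python
import re

# Assumption: a banner block starts with "banner <type> <delim>" and runs to the
# next occurrence of <delim>. <delim> is one character, or the two-character
# "^C" form.
BANNER_START = re.compile(r"^\s*banner\s+(\S+)\s+(\^C|\S)(.*)$")

# Constructed sample config (not taken from a real device).
SAMPLE = """\
hostname sw-example
banner motd ^
Authorized personnel only.
      Access to this equipment is allowed only to authorized personnel.
                        Unauthorized use is prohibited
^
line vty 0 4
 login authentication default
"""


def lint_banners(config_text):
    """Return (findings, fixed_text).

    findings: (banner_type, line_number, original_line) for each banner text
    line that begins with a space or tab.
    fixed_text: the same config with only those lines left-stripped.
    """
    findings, out = [], []
    banner_type = delim = None
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if delim is None:
            m = BANNER_START.match(line)
            if m:
                banner_type, delim, rest = m.groups()
                if delim in rest:  # one-line banner closes on the same line
                    banner_type = delim = None
            out.append(line)
            continue
        # Inside a banner: everything before the delimiter is banner text.
        text, closed, tail = line.partition(delim)
        if text[:1] in (" ", "\t"):
            findings.append((banner_type, lineno, line))
            line = text.lstrip(" \t") + closed + tail
        out.append(line)
        if closed:
            banner_type = delim = None
    return findings, "\n".join(out)
```

Indented lines outside a banner block, such as commands under `line vty`, are left untouched.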

6 REPLIES
Cisco Employee

Command authorization issue.

1. Could you please provide the exact command you're executing on the IOS?

2. Screen shot of command authorization set from ACS > shared profile component.

3. Error you're seeing in reports and activity > tacacs administration section.

4. debug tacacs and debug authorization from the CLI.

~BR
Jatin Katyal

**Do rate helpful posts**

New Member

Re: Command authorization issue.

Hello Jatin, hello Ravi.

I'm able to reproduce this authorization issue with a 3750 stack running 12.2(55)SE1, IPSERVICEK9.

Another stack running 12.2(44)SE2 works fine.

All stacks run with the same AAA model.

I try to set the MOTD, but when the banner text starts with a blank the entry fails.

```
sw-bcve11(config)#banner motd ^
Enter TEXT message.  End with the character '^'
L'accesso a questo dispositivo e' consentito solo al personale autorizzato.
                 E' proibito ogni accesso non autorizzato
Command authorization failed.
      Access to this equipment is allowed only to authorized personnel.
Command authorization failed.
                        Unauthorized use is prohibited
Command authorization failed.
^
sw-bcve11(config)#
```

Removing all initial spaces resolves the issue.

Attached you can find command set (permit any command), T+ log and debugs.

Many many thanks for your help.

Regards.

Andrea

New Member

Re: Command authorization issue.

Fine!

I don't remember to check bug!

Many many thanks Jatin!

Regards.

Andrea

Cisco Employee

Re: Command authorization issue.

Happy to help

~BR
Jatin Katyal

**Do rate helpful posts**

Cisco Employee

Command authorization issue.

The information you have provided is too little; please provide the information requested by Jatin.
